Many companies use "pop-up banners" to help remind employees of the rules and policies governing their systems. These banners are also intended to add a degree of legal protection by noting that the employee has limited rights to privacy when using company computers and networks.
But what if the employee owns the computer? How does BYOD (bring your own device) affect the rights of the employer and employee?
While your employees enjoy the freedoms of BYOD -- whether company supported or not -- this new norm does not mean your network or intellectual property have to be left unprotected.
And it doesn't mean your corporate investigations come to a halt. Encouraging your employees to register their devices for free Wi-Fi and/or company email can not only help protect your data with company-supported encryption, firewalls, etc., but it can also help your investigations by pushing the once-untraceable gadget into a corner. As discussed in "Use your own Flame spyware for investigations," "4 cheap options to monitor networks for evidence," and "How to build your own digital forensics lab - for cheap," there are plenty of options to protect and capture data, even on iPhones, tablets and personal computers.
No, the hard part of the equation is creating a policy to legally view this data.
Today's "banner" can't be a simple pop-up that the end user acknowledges each time he or she turns on a company-owned computer or logs into a company VPN. The verbiage needs to be a lot more focused and designed to cover all forms of DATA on company-owned devices AND user-owned devices.
Employees need to acknowledge (repeatedly) that they understand the policy and how enforcement works, so that when the time comes to capture data on an employee's home computer or personal cell phone (yes, home computer), you can legally do so.
Creating a policy always needs to be done with cooperation among your legal team, IT department, human resources group and maybe a third party lawyer to help review. However, the basic details can be written on your own to cover your bases.
Your new policy, and the pop-up banner that explains and reminds, needs to have at least four parts that are clearly understandable to your users:
Purpose of policy,
Focus of policy,
Failure to Abide By and
Each part is critical to the whole policy holding up in court, should it ever be challenged. Let's look at each one.
Purpose of Policy
The purpose of the policy is clear: to protect your network and employees.
A good introduction can outline the common need to help secure your company's IP, create a harassment-free environment, etc. This reminds the user that your policy isn't designed with Big Brother in mind, but to protect the network. Here is an example compiled from a number of Department of Defense-related systems: